tv Interview with Representative-elect Darren Soto D-FL CSPAN December 15, 2016 4:29am-4:41am EST
sort of built-in backdoors, or key escrow or design mandates to allow for lawful access. that, unfortunately, is a likely -- likely to make our currently horribly weak and fragile infrastructure much weaker and much more fragile, discourage the use of tools like cryptography, discourage the use of good security practices and create centralized points of failure where none currently exist or need to exist. so, i think there are compelling reasons to very strongly oppose any kinds of design mandates of the kinds that are being advocated for. that said, as we can see by the
expansion of rule 41, in many, and i would argue the majority of cases, search of the endpoint by exploitation of vulnerabilities and so forth is a viable alternative. we are seeing it done. it's happening. the legal rules for that are unclear. rule 41 changes the first sort of codified -- the rule 41 change is the first sort of codified place, where we are seeing it addressed, and i think it really does need to be addressed by congress. i think this has been done for a while, and it is going to scale up. we need to confront, in law and policy, what the rules for that going forward are going to be, as it scales up. >> you can go ahead, i will follow.
>> i don't think there are a lot of people in the private communities who are fans of government hacking, but we also -- if there is going to be a continuing increase in the deployment of strong encryption tools, which we are a fan of, and there's not some sort of mandate that that data be accessible by the government, which we are not a fan of, there will be more government hacking whether we like it or not. the question is, what are the rules for that activity? i just want to flag a big concern that sort of brings together both of these issues, and highlights the need for, amongst others, congressional action, which is how they might implement that government hacking in a way that would basically be a back door and hurt all of our digital health. that is subverting the software update systems, through which we receive all of our security updates from the companies. this is an idea that is
occasionally tossed around as a potential way to deliver malware to access encrypted data. i think it would be an incredibly dangerous thing, yet, i also think our current technical assistance provisions around surveillance could be read potentially by a court to allow this sort of thing. why is this a bad idea? because we're basically in a digital public health crisis. we are facing many grave ills. the medicine that we get for that, the vaccines that we receive, come through these secure update channels from the companies. if and when it becomes public that the government has subverted that trusted channel to actually decrease our privacy and security, you will have a lot more people avoiding those updates, and it is sort of like people who are not vaccinating against diseases.
when they make that choice, they are making us all less safe, because they become hosts for the things that might infect us. i just want to put a strong stick in the ground to flag, this is a huge risk. it is a path we definitely don't want to take. for what it is worth, our host julian has written about this point, as well as several others. i think it's important. >> i just want to pull it back to the international perspective on this. we have to remember that the internet does not stop at the atlantic and pacific oceans on either side of the united states. it is used globally. there's the going dark perspective. america's rhetoric on whether or not we are going to undermine encryption or whether or not that is acceptable has provided a lot of wiggle room for other countries to pass laws or implement policies that do undermine encryption, either give them authority to outlaw end-to-end encryption from being used by companies -- in some cases, there are laws that
require end users to install backdoors on all of their devices within specific countries. there is that element, while at the same time we are talking about government hacking without having rules for it. we are seeing other countries also pick up on that. in the u.k., for example, we just had a law receive royal assent, the investigatory powers bill, that formalizes you -- the u.k. government hacking authority, that might allow the u.k. government from an objective read to try to force companies to implement backdoors and security updates. by not acting in an out-front way to protect privacy in law affirmatively, we are not only allowing conversations to wither and die in the u.s., but we are allowing great room for security to be lowered across the board outside of the
country. those effects are going to be felt in the united states without question. >> richard, did you want to weigh in on that? i know you are concerned about the international climate. >> certainly, speaking to the international question, this idea that u.s. policy, which i think has been pretty equivocal on the subject to remain the motivator, despite what other countries do, things that we may not like, i think this is missing the mark. other countries face the very same public security and national security problems we do. i suspect it will try to address their problems as best they can within their political system, regardless of our positions on these things, but certainly regardless of the middle road we seem to have taken. let me address a couple of
other things. i think as far as is this a solution to the going dark problem? i agree with comments that have been made so far. i think it will inevitably going to be -- be part of what the government will do. certainly when there is an opportunity, like the san bernardino case, where a tool comes available to execute a warrant, it's going to be used. i think we should also be clear it is by no means a 100% solution to that problem. that is for a couple of different reasons. investigations, at least on the law enforcement side, need to be targeted and timely and calculated to produce admissible evidence. each of those three things can have some difficulties. targeted -- if you have a particular offender who you believe may be committing some serious crimes, it can't be a perfect solution if you are lucky enough to have that person be using and having an operating system that you have a tool to address. it's going to be a catch as
catch can situation at best. also, it is timely. is that tool available now or do we have to wait a long time as in months and months from the san bernardino case? or, frankly, in the case of hackers trying to break into something, they generally do it over a period of time, and spend a lot of energy doing that. it may not be acceptable in the context of a law enforcement investigation. and then the admissible evidence question, i don't with a little already. let me offer one other counterpoint. matt said that the common thing we have heard, from a number of places, about creating a mandate or backdoor solution, would have grievous security harm to the average person and the users. i would encourage us to ask for the evidence on that, to probe
this question further. if you look at the way companies and agencies and individuals behave, these end-to-end solutions, or solutions that don't allow interference in the middle, are not the norm. if you look at the department of justice, which is extremely concerned about security, there is an app that sits in the background on my phone that lets the government have access to the device when it is needed. and yet, that is exactly what the problem was in the san bernardino case with the ios. when you talk to network defenders, they are worried about end-to-end encryption, because when you have phishing schemes that are going after access to the networks and it's much harder to intercept those things and block them at the gateway.
if the communication is encrypted end to end and unavailable to the individual. and then you would have to ask questions like why is it that gmail doesn't use that kind of encryption, that makes it inaccessible to the provider, why is that not a backdoor? why are we not saying to gmail, how dare you access your customer's emails in order to sell advertising to them? or, put it another way, if we are ok with gmail doing that, why are we not ok with having the public security benefits of it, on those just as important as the ability to sell advertising to customers? i will encourage you to ask this question in a more deep way. what is the security benefit here, and is that worth it when it comes to public safety harm, resulting from the end-to-end encryption by default. and now, we turn it over to the wolves over here. >> we can leave a little time for questioning.
>> i will just say, i find it shocking in an age where we are seeing a former secretary of state, a major political party hack, sony hack, their emails spilling everywhere, these nude photos coming out of icloud, that it is hard to recognize the security value of using a more secure option is. i think there are a lot of people, especially in politics and hollywood now, using email less because it is riskier. no one is saying gmail is super insecure, but it is certainly less secure than an end-to-end solution, and we need to be promoting the spread of that technology rather than trying to dampen it considering just how dire our cybersecurity situation is. >> counterpoint. how were those computers hacked? was it through phishing? because if it was, that is going to make it worse in a situation where end-to-end encryption comes into play. >> great.